Skill

azure-role-selector

Guide users to the correct Azure RBAC role for their identity and permissions requirements, following least-privilege principles. Use when a user asks which role to assign, needs help finding a built-in role, wants to create a custom role, or needs to understand Azure role assignments and permissions.

npx claudepluginhub atc-net/atc-agentic-toolkit --plugin azure

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Help users find and assign the correct Azure RBAC role with least-privilege access.

Supporting Assets

LICENSE.txt

SKILL.md

Similar Skills

azure-rbac

902

Identifies least-privilege Azure RBAC roles for identities, generates az CLI commands and Bicep code for assignments, and explains permissions required to grant roles.

azure

role-devops:azure-expert

Provides expert guidance on Azure production workloads including Entra ID/RBAC, VNets, AKS, Container Apps, App Service, Functions, SQL/Cosmos DB, storage, networking, security, monitoring, and cost management.

3 files4 tools

role-devops

iam-policy-design

Design and implement least-privilege IAM policies for cloud and on-premise environments.

infrastructure-security

Stats

Parent Repo Stars1

Parent Repo Forks1

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Azure Role Selector

Help users find and assign the correct Azure RBAC role with least-privilege access.

Workflow

Gather requirements — Ask what permissions the identity needs and on which resource scope (management group, subscription, resource group, or resource)
Search built-in roles — Use Azure MCP/documentation to find built-in roles matching the required permissions
Evaluate fit — Compare the role's permissions against what the user needs. Prefer the most restrictive role that covers all requirements
Custom role if needed — If no built-in role matches, use Azure MCP/extension_cli_generate to create a custom role definition with only the required permissions
Generate assignment — Use Azure MCP/extension_cli_generate to produce the CLI commands for the role assignment, and Azure MCP/bicepschema + Azure MCP/get_bestpractices to provide a Bicep snippet

Key Principles

Least privilege — Always recommend the most restrictive role that satisfies the requirements
Prefer built-in roles — Only suggest custom roles when no built-in role is a good fit
Scope matters — Assign at the narrowest scope possible (resource > resource group > subscription > management group)
Avoid Owner/Contributor unless explicitly justified — suggest more specific roles first

Common Role Categories

Category	Example Roles	When to suggest
Read-only	Reader, various *Reader roles	View access only
Data plane	Storage Blob Data Contributor, Key Vault Secrets User	Access to data within a resource
Operator	VM Contributor, Network Contributor	Manage specific resource types
Security	Security Reader, Security Admin	Security-related tasks
Monitoring	Monitoring Reader, Log Analytics Reader	Observability tasks

Tools

Azure MCP/documentation — Search for role definitions and permissions
Azure MCP/bicepschema — Generate Bicep code for role assignments
Azure MCP/extension_cli_generate — Generate CLI commands or custom role definitions
Azure MCP/get_bestpractices — Get RBAC best practices